From nobody Thu Mar 5 06:30:49 2026 Received: from mail-wr1-f65.google.com (mail-wr1-f65.google.com [209.85.221.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C7D681BD9C9 for ; Mon, 16 Feb 2026 21:17:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.65 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771276635; cv=none; b=N3Vv2esroz7iRvtYJDiAMo2xe8RHb04Unt2KG/8PfY0tLLnruVtOnwm/HyCBlPzAD43q4S/bmPQwU9eX+cg9lxfyZRo+vHEkSbrrpvQLxiGmRpg3jsawBI7d/YA4miGBezNkoUdvYHBqICy4tbQf6x9CJBzBC5sTkuWCD9e/esE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771276635; c=relaxed/simple; bh=PHuRTWn3LLSApQ8KhA+0Fhp++y2aTZ5MBIrR34sa08M=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=jpqd+UjBIGh45Faemm1aiNwSM+Ld7msLIZ+/fRcSwHwMYNcE8aOtb/zi2oYfVblOgfJFTNDEuLGn81IoTdoe74XsDssqC6lILY2ouimtypqoiO7L3pm9s/PoSTJtHPEkwwoLZhCcl7Kgz+OkT56f1RZEQkv+cBaBvSL5vTBV7e0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=igke/t8o; arc=none smtp.client-ip=209.85.221.65 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="igke/t8o" Received: by mail-wr1-f65.google.com with SMTP id ffacd0b85a97d-43767807da6so2506602f8f.2 for ; Mon, 16 Feb 2026 13:17:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1771276632; x=1771881432; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=hl5mbnNyuPCNXoCUnQoB64+0pXNQpBtlWAy/l88YWm4=; b=igke/t8ovZSNIA0vxu833hgrKAcUxjgDeQJemV54v3O4nLIgTyW+iKQA9J9S3ap34C ARHasrVyo+NgPqWDqmRU8ChnVG5ujSERcyv5wSbENbZEYOxXpY2vMhALI1YJNivFf78m BvPVx7pvwAeF3KXU9IUUddZvHN8xtCea7zxEfULJ3PNPvJar1O/QNS1zS26ALUut7Z4J 3V5N4gbB4uM+QEW2OxJ1ZjtmeHkdWrZpJ3ZrWYcIsa6cORp+oSrEJAFIMK6fUwAWVAGX /mu+nKi8z6LgH6F+ZyTrY1fIU6Th5Ep8na5L6BXWYoHQdjm2vzPYMh7HGypYexvQ85Fv LThg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771276632; x=1771881432; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=hl5mbnNyuPCNXoCUnQoB64+0pXNQpBtlWAy/l88YWm4=; b=tl4bxv6fzjngw1zea9XiCBEy8I532HbI8N5dsb9GG1LnG5roRJbFYIlYagnw41ZOln xcQw/JrefzDr/ZhKPJw4S9aHgPcYhzWfk1WGdO4TDTeKlkDdB/8iuYx6Ei3EEWXzjLjM CxhzKoiImGhC2UEC4IjeCvsXyWUSO5vq5CpBLWFMCF2nVIyuTB2T0oyM6h5bQfWofN1I Ij3LALAUULDNkElj6tGdhe57vJpb75l8BNXvYQGl71jVNQBbIUCFNm7zDPgwgxibtJ8s 0lfFwMd1TihVPOVE6QrAJpaYEV17HJ1WXrt18s53QRjmnBuq7ybPIQgVW4CkzcuyCPWe 8Zfw== X-Forwarded-Encrypted: i=1; AJvYcCUO70+pqOZUWZeeSgxeQDTX0qbWPfSmlMllW9w7jfK4RzPe6U6Iv1+pkbLwo1Cu1Qg0IYAelPS6LWiiTU0=@vger.kernel.org X-Gm-Message-State: AOJu0YzYRyUV6Kudtq3un2qDEyQqFA4vf2qKShsGduzGlbE6vWJ+Cnl6 FN8guD2+ovlmjRPMC1svoaAYJwYy987Aa/xARjQw5LRSKHXOSgaO1GJS X-Gm-Gg: AZuq6aK/svlDF445t/ujcut1ZwZMGpm3/90tga2+0KTY6G02gyl+KMsd/u72ReU86Em VrTp6PbzXHD8Vf0QGiYiTGKAol07dnZa/VSGz+lfTay8D04If7ugEIYme/A6knM7IoBXOTX47BJ gi/3ZxBGar8Ma8usX5OS5doJtgRvXj13666VPNKHi53O0wnCZxEJ/ZhzXBYWjY75VEvrD4SCu97 crOeEJuJa1BUwNq3+sp3OaAlThRSXkToBUglSkTyYeF506k0mO4je08QJyb5tx/xizgOoDHMVwg SjhDMQHuyx2kV3bJnvUzAWNm8WEkXPkjhk2P90WA1jnOQda+tdOq+8G8LrcbKKJSWzoWi7G4BIY 9qJoOtEx5Ll/wpivfcwvup3/LZuLJLCluPR7aEZakf2NSaSuNg5vc599JrTPxXoGcWLfT6ntYkG BH+lK+Q/U5EHnYhhzbU1B6GaH/yI6I/4v//HM= X-Received: by 2002:a05:6000:40df:b0:436:30e1:6c1 with SMTP id ffacd0b85a97d-437978c0b73mr23195099f8f.5.1771276631967; Mon, 16 Feb 2026 13:17:11 -0800 (PST) Received: from masalkhi ([2a02:3037:26d:2bf3:2828:10ac:606c:9bf3]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43796ad112bsm30018765f8f.36.2026.02.16.13.17.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 16 Feb 2026 13:17:11 -0800 (PST) From: Abd-Alrhman Masalkhi To: dwlsalmeida@gmail.com, mchehab@kernel.org, linmag7@gmail.com, thomas.weissschuh@linutronix.de Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Abd-Alrhman Masalkhi , syzbot+96f901260a0b2d29cd1a@syzkaller.appspotmail.com Subject: [PATCH] media: vidtv: fix uninitialized args.buf_sz passed by value Date: Mon, 16 Feb 2026 22:17:03 +0100 Message-ID: <20260216211703.3702-1-abd.masalkhi@gmail.com> X-Mailer: git-send-email 2.51.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" vidtv_ts_null_write_into() takes null_packet_write_args by value, causing MSAN to report an uninit-value warning on buf_sz inside the function. Fix by passing the struct by pointer instead, avoiding the stack copy entirely. Reported-by: syzbot+96f901260a0b2d29cd1a@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3D96f901260a0b2d29cd1a Fixes: cd7a5651db26 ("alpha: add missing address argument in call to page_t= able_check_pte_clear()") Signed-off-by: Abd-Alrhman Masalkhi --- drivers/media/test-drivers/vidtv/vidtv_mux.c | 2 +- drivers/media/test-drivers/vidtv/vidtv_ts.c | 18 +++++++++--------- drivers/media/test-drivers/vidtv/vidtv_ts.h | 2 +- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/drivers/media/test-drivers/vidtv/vidtv_mux.c b/drivers/media/t= est-drivers/vidtv/vidtv_mux.c index f99878eff7ac..67a580396112 100644 --- a/drivers/media/test-drivers/vidtv/vidtv_mux.c +++ b/drivers/media/test-drivers/vidtv/vidtv_mux.c @@ -363,7 +363,7 @@ static u32 vidtv_mux_pad_with_nulls(struct vidtv_mux *m= , u32 npkts) args.continuity_counter =3D &ctx->cc; =20 for (i =3D 0; i < npkts; ++i) { - m->mux_buf_offset +=3D vidtv_ts_null_write_into(args); + m->mux_buf_offset +=3D vidtv_ts_null_write_into(&args); args.dest_offset =3D m->mux_buf_offset; } =20 diff --git a/drivers/media/test-drivers/vidtv/vidtv_ts.c b/drivers/media/te= st-drivers/vidtv/vidtv_ts.c index ca4bb9c40b78..7e6e92503fb8 100644 --- a/drivers/media/test-drivers/vidtv/vidtv_ts.c +++ b/drivers/media/test-drivers/vidtv/vidtv_ts.c @@ -48,7 +48,7 @@ void vidtv_ts_inc_cc(u8 *continuity_counter) *continuity_counter =3D 0; } =20 -u32 vidtv_ts_null_write_into(struct null_packet_write_args args) +u32 vidtv_ts_null_write_into(struct null_packet_write_args *args) { u32 nbytes =3D 0; struct vidtv_mpeg_ts ts_header =3D {}; @@ -56,21 +56,21 @@ u32 vidtv_ts_null_write_into(struct null_packet_write_a= rgs args) ts_header.sync_byte =3D TS_SYNC_BYTE; ts_header.bitfield =3D cpu_to_be16(TS_NULL_PACKET_PID); ts_header.payload =3D 1; - ts_header.continuity_counter =3D *args.continuity_counter; + ts_header.continuity_counter =3D *args->continuity_counter; =20 /* copy TS header */ - nbytes +=3D vidtv_memcpy(args.dest_buf, - args.dest_offset + nbytes, - args.buf_sz, + nbytes +=3D vidtv_memcpy(args->dest_buf, + args->dest_offset + nbytes, + args->buf_sz, &ts_header, sizeof(ts_header)); =20 - vidtv_ts_inc_cc(args.continuity_counter); + vidtv_ts_inc_cc(args->continuity_counter); =20 /* fill the rest with empty data */ - nbytes +=3D vidtv_memset(args.dest_buf, - args.dest_offset + nbytes, - args.buf_sz, + nbytes +=3D vidtv_memset(args->dest_buf, + args->dest_offset + nbytes, + args->buf_sz, TS_FILL_BYTE, TS_PACKET_LEN - nbytes); =20 diff --git a/drivers/media/test-drivers/vidtv/vidtv_ts.h b/drivers/media/te= st-drivers/vidtv/vidtv_ts.h index 09b4ffd02829..28da15dcc697 100644 --- a/drivers/media/test-drivers/vidtv/vidtv_ts.h +++ b/drivers/media/test-drivers/vidtv/vidtv_ts.h @@ -90,7 +90,7 @@ void vidtv_ts_inc_cc(u8 *continuity_counter); * * Return: The number of bytes written into the buffer. */ -u32 vidtv_ts_null_write_into(struct null_packet_write_args args); +u32 vidtv_ts_null_write_into(struct null_packet_write_args *args); =20 /** * vidtv_ts_pcr_write_into - Write a PCR packet into a buffer. --=20 2.43.0